JustDial breach leaks personal data of more than 100 million users

The report revealed that the problematic API endpoint was online since 2015. It is unclear if anyone knew about the security issue prior to this or if the JustDial user data was used previously in any malicious capacity.

Information about a new and massive data breach has surfaced online. According to a report, it looks like JustDial, the local search service has just suffered a huge data breach. Taking a closer look at the incident, personal information of more than 100 million users was exposed in the data breach. This information includes names, mobile numbers, email IDs, gender, date of birth and even their addresses. This breach was initially discovered by Rajshekhar Rajaharia, an independent security researcher who disclosed the issue in a post on his Facebook account.

After Rajaharia posted about the data breach, it was picked up by The Hacker News. According to Rajaharia, 70 percent of the leaked data belonged to users who had used the customer care number of JustDial, “88888 88888”. He revealed that the company was also leaking the images, the company that the users worked at, their occupation and all other details that a JustDial profile typically asks the user to fill up during signup. As part of the Facebook post, Rajaharia revealed that he had tried to get in touch with the technology or the security team for JustDial but to no avail.

Watch: Android Q First Look

According to the report, this information was exposed because of an unprotected, API endpoint that was publicly accessible to anyone and everyone online. Another shocking thing to see here is that the problematic API endpoint was online since 2015. It is unclear if anyone knew about the security issue prior to this or if the JustDial user data was used previously in any malicious capacity. The report also noted that the API could be used to fetch the personal information of newly registered users in real time.

It is worth noting that the offending API endpoint is old and the company is not currently using it. Instead, the company is using a new API endpoint which is protected and comes with authentication measures to protect the user data. Similar to the new API endpoint, the new JustDial website was not suffering from the breach. In addition to this, Rajshekhar was also able to find “a few other old” API endpoints that were not protected. What is problematic is how all this data can be used for identity theft.

Also Read

A report by The Economic Times stated that JustDial reached out to Rajaharia regarding the issue but it was unable to fix the issue at the time of writing. It also noted that the company refuted claims about the data breach of about 100 million users in a statement. JustDial clarified that no financial data was ever leaked from the website and stated that the older apps were fixed with encryption. Last but not least, the company has also issued a “tech-audit” to discover any such hidden issues and fix them.